Product/Version
Certified Privnote (https://certified.privnote.com)
Function as provided in September 2010
View the Certified Privnote certificate
Cert. No.
DE-100021
Gültigkeit
25/10/2010 until 31/10/2012
Kurzgutachten
Certified Privnote Public Report [PDF]
Manufacturer/Provider
Baladir S.A.
Iturriaga 3429/1
11300 Montevideo
Uruguay
BEST
Certied Privnote makes use of data minimisation measures: No extra information besides notes’ contents and users’ IP addresses is required to use the service. Messages are deleted upon initial retrieval or after 30 days if they have not been retrieved at all. IP addresses are not stored but only used for the purpose of communication.
The service guarantees the confidentiality of the notes by using both, a browser and a server site encryption as well as an SSL transport security mechanism.
ATTENTION:
When sending the URL to the recipient of a note, the note’s creator should keep in mind that there may be a certain risk that third parties intercept this communication, get knowledge of the URL and thus may be able to access the message in plain text. The actual risk depends on the communication channel of choice (phone, fax, SMS, instant messaging, email etc.).
Miscellaneous
Whenever the Certified Privnote service is used with Mozilla Firefox, it is recommended to verify that the JavaScript – that encrypts the note – is actually running. This is possible by using the add-on JavaScript Deobfuscator. This add-on shows all the java scripts that are embedded in the website and run in the user’s browser.
Summary
Certified Privnote is a free web based service that provides users with an easy method to exchange encrypted notes via the Internet. Messages are encrypted and stored on the Certified Privnote server. They can be accessed via a specific URL that is generated from the encryption keys and disclosed to the note’s creator. The creator must communicate the URL to the recipient via his communication channel of choice (e.g., phone, fax, SMS, instant messaging, email). After entering the URL in the address bar of his browser, the recipient is able to access, decrypt and read the message.
Details
The exchange of encrypted messages by means of the Certified Privnote service consists of the following steps:
First of all, the user enters the message in the text field on the Certified Privnote website and clicks the “Create Note” button. Thereupon, the note’s content is encrypted in the creator’s browser with a random key and sent to the Certified Privnote server. Certified Privnote then encrypts the received data with another random key, stores it, and returns this key to the note’s creator. Subsequently, the creator’s browser generates a unique URL for accessing and decrypting the note by adding the two random keys.
In the next step, the URL is to be communicated to the designated recipient of the message. Therefor, the note’s creator sends it to the recipient via his communication channel of choice (phone, fax, SMS, instant messaging, email, etc.). The recipient copies and pastes the URL to the address bar of his browser. This enables him to access, decrypt and read the message.
Once a note is accessed for the first time, its content is destroyed immediately and the link to the note becomes useless. If the URL is retrieved therinafter, the retrieving person is informed that the note does not exist (any more). In event of a URL not being retrieved for a period of 30 days, all the note’s data is automatically and fully deleted from Certified Privnote’s servers.
The ToE is the IT-based service Certified Privnote as provided via https://certified.privnote.de.
The ToE does not include:
- The IT-based service Privnote as provided via https://privnote.com
- External widgets and applications provided via https://privnote.com
Technical Evaluator
José Luis Rivas López
Santa Marty 52, 1°
36202 Vigo
Spain
Legal Evaluator
Fernado Ramos Suárez Lener
Paseo de la Castellana 23, 1° planta
28046 Madrid
Spain